Federal law of the Russian Federation on information. Federal Law on Information Security

Law of the Russian Federation "On Information, Informatization and Information Protection".

Federal Law of February 20, 1995 N 24-FZ "On Information, Informatization and Protection of Information" (as amended on January 10, 2003). Adopted by the State Duma on January 25, 1995.

1. This Federal Law governs relations arising from:

Formation and use of information resources based on the creation, collection, processing, accumulation, storage, search, distribution and provision of documented information to the consumer;

Creation and use of information technologies and means of their support;

Protection of information, rights of subjects involved in information processes and informatization.

State policy in the field of formation of information resources and informatization is aimed at creating conditions for effective and high-quality information support for solving strategic and operational tasks of the social and economic development of the Russian Federation.

The main directions of public policy in the field of informatization are:

· Provision of conditions for the development and protection of all forms of ownership of information resources;

· Formation and protection of state information resources;

· Creation and development of federal and regional information systems and networks, ensuring their compatibility and interaction in a single information space of the Russian Federation;

· Creation of conditions for high-quality and effective information support of citizens, state authorities, local authorities, organizations and public associations based on state information resources;

· Ensuring national security in the field of informatization, as well as ensuring the implementation of the rights of citizens, organizations in the context of informatization;

· Assistance in the formation of the market of information resources, services, information systems, technologies, means of their support;

· Formation and implementation of a unified scientific, technical and industrial policy in the field of informatization, taking into account the modern world level of development of information technologies;

· Support of projects and programs of informatization;

· Creation and improvement of a system for attracting investments and a mechanism to stimulate the development and implementation of informatization projects;

· Development of legislation in the field of information processes, informatization and information protection.

Protection of information and rights of subjects in the field of information processes and informatization

The objectives of the protection are:

1. prevention of leakage, theft, loss, distortion, forgery of information;

2. prevention of threats to the security of the individual, society, state;

3. prevention of unauthorized actions to destroy, modify, distort, copy, block information; prevention of other forms of illegal interference in information resources and information systems, ensuring the legal regime of documented information as an object of ownership;

4. protection of the constitutional rights of citizens to maintain personal secrecy and confidentiality of personal data available in information systems;

5. preservation of state secrets, confidentiality of documented information in accordance with the legislation;

6. ensuring the rights of subjects in information processes and in the development, production and use of information systems, technologies and means of their support.

Protection of information.

1. Any documented information, the mishandling of which may harm its owner, possessor, user and other person, is subject to protection.

The information protection regime is established:

· In relation to information classified as a state secret - by authorized bodies on the basis of the Law of the Russian Federation "On state secrets";

· In relation to confidential documented information - by the owner of information resources or an authorized person on the basis of this Federal Law;

· In relation to personal data - by the Federal Law.

2. State authorities and organizations responsible for the formation and use of information resources subject to protection, as well as bodies and organizations that develop and apply information systems and information technologies for the formation and use of information resources with limited access, are guided in their activities by the legislation of the Russian Federation.

3. Control over the observance of the requirements for information protection and the operation of special software and hardware means of protection, as well as the provision of organizational measures for the protection of information systems processing information with limited access in non-state structures, are carried out by state authorities. Control is carried out in the manner determined by the Government of the Russian Federation.

4. Organizations processing information with limited access, which is the property of the state, create special services to ensure the protection of information.

5. The owner of information resources or persons authorized by him have the right to monitor compliance with the requirements for the protection of information and prohibit or suspend the processing of information in case of failure to comply with these requirements.

6. The owner or possessor of the documented information has the right to apply to state authorities to assess the correctness of compliance with the norms and requirements for the protection of his information in information systems. The relevant bodies are determined by the Government of the Russian Federation. These authorities respect the confidentiality of the information itself and the results of the audit.

Rights and obligations of subjects in the field of information protection.

1. The owner of documents, an array of documents, information systems or his authorized persons, in accordance with this Federal Law, establish the procedure for providing the user with information, indicating the place, time, responsible officials, as well as the necessary procedures and provide conditions for users to access information.

2. The owner of documents, an array of documents, information systems ensures the level of information protection in accordance with the legislation of the Russian Federation.

3. The risk associated with the use of non-certified information systems and means of their support lies with the owner (possessor) of these systems and means.

The risk associated with the use of information obtained from a non-certified system lies with the consumer of the information.

4. The owner of documents, an array of documents, information systems can apply to organizations that certify the means of protecting information systems and information resources to analyze the adequacy of measures to protect their resources and systems and receive advice.

5. The possessor of documents, an array of documents, information systems is obliged to notify the owner of information resources or information systems about all facts of violation of the information protection regime.

Protection of the right to access information.

1. Denial of access to open information or providing users with knowingly inaccurate information may be challenged in court.

Cases of non-fulfillment or improper fulfillment of obligations under contracts for supply, sale and purchase, and other forms of exchange of information resources between organizations are considered by the arbitration court.

In all cases, persons who are denied access to information and persons who received false information are entitled to compensation for the damage they have suffered.

2. The court considers disputes on the unjustified classification of information as information with limited access, claims for damages in cases of unjustified refusal to provide information to users or as a result of other violations of users' rights.

3. Heads, other employees of state authorities, organizations guilty of illegal restriction of access to information and violation of the information protection regime are liable in accordance with criminal, civil legislation and legislation on administrative offenses.

Bibliography.

Federal Law of February 20, 1995 N 24-FZ "On Information, Informatization and Protection of Information" (as amended on January 10, 2003).

Information protection legislation

In ensuring information security, only an integrated approach can bring success. We have already indicated that in order to protect the interests of subjects of information relations, it is necessary to combine measures of the following levels:

· Legislative;

· Administrative (orders and other actions of the management of organizations associated with protected information systems);

· Procedural (people-centered security measures);

· Software and hardware.

The legislative level is the most important for ensuring information security. Most people do not commit illegal actions, not because it is technically impossible, but because it is condemned and / or punished by society, because it is not accepted to do so.

We will distinguish two groups of measures at the legislative level:

· Measures aimed at creating and maintaining in society a negative attitude (including through the use of punishments) towards violations and violators of information security (let's call them restrictive measures);

· Directing and coordinating measures that contribute to improving the education of society in the field of information security, helping in the development and distribution of information security tools (measures of a creative orientation).

In practice, both groups of measures are equally important, but we would like to highlight the aspect of conscious compliance with the rules and regulations of information security. This is important for all subjects of information relations, since it would be naive to rely only on protection by the forces of law enforcement agencies. This is also necessary for those whose duties include punishing violators, since it is impossible to provide evidence in the investigation and trial of computer crimes without special training.

The most important (and probably the most difficult) task at the legislative level is to create a mechanism that allows the process of developing laws to be aligned with the realities and progress of information technology. Laws cannot be ahead of life, but it is important that the lag is not too great, since in practice, among other negative aspects, this leads to a decrease in information security.

General-purpose legal acts concerning information security issues

In accordance with Article 24 of the Constitution, state authorities and local self-government bodies, their officials are obliged to provide everyone with the opportunity to familiarize themselves with documents and materials directly affecting his rights and freedoms, unless otherwise provided by law.

Article 41 guarantees the right to know the facts and circumstances that pose a threat to human life and health, Article 42 - the right to know reliable information about the state of the environment.

In principle, the right to information can be realized by means of paper technologies, but in modern conditions the most practical and convenient option for citizens is for the relevant legislative, executive and judicial authorities to create information servers and to maintain the availability and integrity of the information presented on them, that is, to ensure the information security of these servers.

Article 23 of the Constitution guarantees the right to personal and family secrets, to privacy of correspondence, telephone conversations, postal, telegraphic and other messages, Article 29 - the right to freely seek, receive, transmit, produce and distribute information in any legal way. The modern interpretation of these provisions includes ensuring the confidentiality of data, including in the process of their transmission over computer networks, as well as access to information security tools.

The Civil Code of the Russian Federation (in our presentation we rely on the edition of May 15, 2001) includes such concepts as banking, commercial and official secrets. According to Article 139, information constitutes an official or commercial secret when it has actual or potential commercial value due to its being unknown to third parties, there is no free access to it on a legal basis, and the owner of the information takes measures to protect its confidentiality. This implies, at a minimum, competence in information security and the availability of accessible (and legal) means of ensuring confidentiality.

The Criminal Code of the Russian Federation (as amended on March 14, 2002) is very advanced in terms of information security. Chapter 28 - "Crimes in the field of computer information" - contains three articles:

· Article 272. Illegal access to computer information;

· Article 273. Creation, use and distribution of malware for computers;

· Article 274. Violation of the rules for the operation of computers, computer systems or their networks.

The first deals with encroachments on confidentiality, the second with malware, and the third with violations of availability and integrity that entailed the destruction, blocking or modification of legally protected computer information. Inclusion of the issues of availability of information services in the scope of the Criminal Code of the Russian Federation seems to us very timely.

Article 138 of the Criminal Code of the Russian Federation, protecting the confidentiality of personal data, provides for punishment for violation of the secrecy of correspondence, telephone conversations, postal, telegraph or other messages. Article 183 of the Criminal Code of the Russian Federation plays a similar role for banking and commercial secrets.

The interests of the state in terms of ensuring the confidentiality of information are most fully expressed in the Law "On State Secrets" (with amendments and additions dated October 6, 1997). It defines state secrets as information protected by the state in the field of its military, foreign policy, economic, intelligence, counterintelligence and operational-search activities, the dissemination of which may harm the security of the Russian Federation. The definition of information protection means is also given there. According to this Law, these are technical, cryptographic, software and other means designed to protect information constituting a state secret; means in which they are implemented, as well as means for monitoring the effectiveness of information protection. Let us emphasize the importance of the last part of the definition.

Law "On Information, Informatization and Information Protection"

The law "On Information, Informatization and Protection of Information" of February 20, 1995 No. 24-FZ (adopted by the State Duma on January 25, 1995) should be considered foundational among Russian laws on information security issues. It provides the basic definitions and outlines the directions of development of legislation in this area.



To quote some of these definitions:

· Information - information about persons, objects, facts, events, phenomena and processes, regardless of the form of their presentation;

· Documented information (document) - information recorded on a tangible medium with details that allow it to be identified;

· Information processes - processes of collection, processing, accumulation, storage, search and dissemination of information;

· Information system - an organizationally ordered set of documents (arrays of documents) and information technologies, including the use of computer technology and communication, implementing information processes;

· Information resources - individual documents and separate arrays of documents, documents and arrays of documents in information systems (libraries, archives, funds, data banks, other information systems);

· Information about citizens (personal data) - information about the facts, events and circumstances of a citizen's life that makes it possible to identify him;

· Confidential information - documented information, access to which is limited in accordance with the legislation of the Russian Federation;

· User (consumer) of information - a subject who turns to an information system or an intermediary to obtain the information he needs and uses it.

We will, of course, not discuss the quality of the definitions given in the Law. Let us only draw attention to the flexibility of the definition of confidential information, which is not limited to information constituting a state secret, as well as to the concept of personal data, which lays the foundation for the protection of the latter.

The law identifies the following information protection goals:

· Prevention of leakage, theft, loss, distortion, forgery of information;

· Prevention of threats to the security of the individual, society, state;

· Prevention of unauthorized actions to destroy, modify, distort, copy, block information;

· Prevention of other forms of illegal interference in information resources and information systems, ensuring the legal regime of documented information as an object of ownership;

· Protection of the constitutional rights of citizens to maintain personal secrecy and confidentiality of personal data available in information systems;

· Preservation of state secrets, confidentiality of documented information in accordance with the legislation;

· Ensuring the rights of subjects in information processes and in the development, production and use of information systems, technologies and means of their support.

It should be noted that the Law gives priority to maintaining the confidentiality of information. Integrity is also presented quite fully, although in second place. Little has been said about availability ("preventing unauthorized actions to ... block information").

Let's continue quoting:

"Any documented information is subject to protection, the mishandling of which may harm its owner, possessor, user or other person."

In fact, this provision states that the protection of information is aimed at ensuring the interests of the subjects of information relations.

"The information protection regime is established:

· In relation to information classified as a state secret - by authorized bodies on the basis of the Law of the Russian Federation "On state secrets";

· In relation to confidential documented information - by the owner of information resources or an authorized person on the basis of this Federal Law;

· With regard to personal data - by federal law."

Three types of protected information are clearly distinguished here, the second of which includes, in particular, commercial information. Since only documented information is subject to protection, a prerequisite is the fixation of commercial information on a tangible medium and supplying it with details. Note that this part of the Law is only about confidentiality; other aspects of information security are forgotten.

Please note that the protection of state secrets and personal data is undertaken by the state; for other confidential information, its owners are responsible.

How, then, should information be protected? As the main instrument, the Law offers powerful universal means for this purpose: licensing and certification. We will quote Article 19.

1. Information systems, databases and data banks intended for information services to citizens and organizations are subject to certification in the manner prescribed by the Law of the Russian Federation "On Certification of Products and Services".

2. Information systems of state authorities of the Russian Federation and state authorities of constituent entities of the Russian Federation, other state bodies, organizations that process documented information with limited access, as well as means of protection of these systems are subject to mandatory certification. The certification procedure is determined by the legislation of the Russian Federation.

3. Organizations performing work in the field of design, production of information security products and personal data processing receive licenses for this type of activity. The licensing procedure is determined by the legislation of the Russian Federation.

4. The interests of the consumer of information when using imported products in information systems are protected by the customs authorities of the Russian Federation on the basis of the international certification system.

Here it is difficult to refrain from a rhetorical question: are there information systems in Russia without imported products? It turns out that in this case only the customs authorities stand guard over consumer interests ...

And a few more points, now from Article 22:

2. The owner of documents, an array of documents, information systems ensures the level of information protection in accordance with the legislation of the Russian Federation.

3. The risk associated with the use of non-certified information systems and means of their support lies with the owner (possessor) of these systems and means. The risk associated with the use of information obtained from an uncertified system lies with the information consumer.

4. The owner of documents, an array of documents, information systems can apply to organizations that certify the means of protecting information systems and information resources to analyze the adequacy of measures to protect their resources and systems and receive advice.

5. The possessor of documents, an array of documents, information systems is obliged to notify the owner of information resources and (or) information systems about all facts of violation of the information protection regime.

From point 5 it follows that all (successful) attacks on information systems should be detected. Let us recall in this regard one of the results of the survey (see Lecture 1): about a third of American respondents did not know if their information systems had been hacked in the last 12 months. According to our legislation, they could be held accountable ...

2. Protection of the rights of subjects in this area is carried out by a court, an arbitration court or an arbitral tribunal, taking into account the specifics of offenses and damage caused.

The paragraphs of Article 5 concerning the legal force of an electronic document and an electronic digital signature are very important:

3. The legal force of a document stored, processed and transmitted using automated information and telecommunication systems can be confirmed by an electronic digital signature. The legal force of an electronic digital signature is recognized if there is software and hardware in the automated information system that ensures signature identification, and if the established regime for their use is observed.

4. The right to certify the identity of an electronic digital signature is exercised on the basis of a license. The procedure for issuing licenses is determined by the legislation of the Russian Federation.

Thus, the Law offers an effective means of controlling the integrity and solving the problem of "non-repudiation" (the inability to refuse one's own signature).

These are, in our opinion, the most important provisions of the Law "On Information, Informatization and Information Protection". The next page will discuss other laws of the Russian Federation in the field of information security.

Current legislation includes a normative document that regulates the procedure, rules and requirements for providing information. Few people know what it is, least of all those who have nothing to do with jurisprudence. Some of the nuances and norms of this legal act are set out in this article.

Glossary of terms used in the law

Some of the terms used in this normative act are defined more precisely by the legislator so that citizens have no doubts or ambiguous interpretations. Among these definitions are the following:

  1. From the point of view of this document, information means any data that can be expressed in the form of messages or in another form. Moreover, it can be provided to third parties in any form.
  2. Information technology - all kinds of legal means, methods and processes used to discover, store, use and apply information.
  3. The owner of information is the person who produced it on his own or received it from other persons on the basis of any transaction provided for by law. The owner can also be a legal entity.
  4. Provision of information - any action that is aimed at transferring it from one person to another. The recipient can be either a specific person or an indefinite circle of recipients.
  5. Access to information is a legally and physically provided opportunity for recipients to acquire information. The types and forms of this access are determined by the relevant normative documents that regulate specific legal relationships in people's lives.
  6. Confidentiality is a requirement imposed on persons who have gained access to information, and consists in prohibiting its disclosure without the permission of the information owner.

These are just a few of the concepts. For complete information about all the definitions used in the law, consult the law itself.

Types of information

So what is information? The Law "On Information, Information Technologies and Information Protection" reveals its essence as an object of legal relations. It can be the direct object not only of civil legal relations, but also of public, authoritative and other legal relations. As a general rule, information received is free for distribution. That is, the person who received it has the right to transfer it to other persons. However, this rule applies only when the information is not confidential. Confidentiality, in turn, can be established either by an agreement concluded between the parties or by legislation. For example, the law regulating operational-search activities establishes the secrecy of information. Access to it can be obtained only by specially empowered persons. Confidential information may be provided only with the consent of its owner or on the basis of a judicial act.

Based on the above, information can be divided into the following categories:

  • distributed freely and without restrictions;
  • the distribution of which is possible only in accordance with the agreement;
  • distribution of which is possible only on the basis of laws;
  • the distribution of which is prohibited on the territory of the Russian Federation or is limited.

Information holders

Let's consider in more detail who the owner of the information is. The law regulating this issue establishes that such persons can be individuals, organizations, as well as the Russian Federation itself. The owners can also be constituent entities of the Russian Federation and municipalities. If the owner is one of the last three named entities, then the rights and obligations are exercised on its behalf by the corresponding authorized officials. The powers of all owners include the following:

  • provide or partially provide access to information, establish the procedure for providing information and the methods of this access;
  • use the information at their own discretion;
  • provide information to other persons by concluding any agreement or in cases determined by law;
  • defend their rights to information if they are violated by third parties;
  • exercise other rights provided or not prohibited by law.

In addition to rights, certain responsibilities are assigned to the owner. These include the observance of the interests of third parties, their legal rights. The owner of the information must also protect the information at his disposal, and if it is confidential, then restrict access to it.

Publicly available information

The named type includes all the information that is freely available. Usually this is also information that does not have limited access. The provision of information that is not limited by anyone is essentially free of charge. However, it may have an owner who may require that the persons using it indicate him as the owner.

Right to receive information

Citizens and legal entities can receive information by any method that is not prohibited. They can search for it in all public resources or submit a written request for information. An example is the Internet, where an unlimited amount of free data is freely available. In addition, these persons have the right to demand the information they need from state bodies or other organizations. The request for information is sent to the owner of the information of interest, who, in turn, considers the request and, if the requested information is not protected by law and is not restricted for distribution, transfers the information to the applicant. It is understood that a person has the right to receive information if it affects his rights and obligations. A list of information has been established to which access cannot be prohibited or otherwise restricted. This is information:

  • about the state of the environment;
  • on the implementation by state bodies of their activities;
  • on laws and other regulations;
  • located in libraries and other places open to the public;
  • other information authorized for distribution.

To obtain it, you need to draw up a letter requesting the provision of information and submit it to the appropriate authority.

Access limitation

General provisions for restricting access are established in Art. 9 of the regulatory act under consideration. It states that these forms of providing information are regulated by the laws of the Russian Federation. Restrictions can be due to various factors. Some of them are: the protection of the country's constitutional order, of the health and safety of people and of their interests, as well as the preservation of the defense capability of Russia. These are, of course, not all the grounds for restricting access. The legislator has determined that the restriction can be subdivided depending on the nature of the confidentiality of the information. Thus, it may be a banking secret, an official secret or some other kind. Accordingly, depending on the type to which the information belongs, it is regulated by a special law. For example, the procedure for protecting and distributing banking secrets is described in the legislation regulating banking activities. It is there that the procedure for disclosing information is described, as well as the cases in which and the persons to whom it can be transferred.

Distribution

With regard to providing information, the regulatory document determines that its distribution takes place in Russia freely, but exclusively in accordance with the laws. It is also determined that the disseminated information must be reliable. This requirement applies not only to the content of the information itself, but also to information about the owner or distributor. In other words, the person receiving the information should be able to find out freely (if desired) who disseminated it. For example, a site that posts any message on the Internet must indicate its name (name of the organization or the full name of a citizen), place of registration or location where the owner (distributor) can be found, and other contact information, including phone numbers and email addresses. Special requirements are imposed on such methods of distribution as transmission by sending electronic messages or by mail. In such cases, the sender is obliged to provide the recipient with the opportunity to refuse to receive this information. A good example is an SMS advertising campaign, which senders can send to their customers only after receiving the appropriate permission from them.

Documentation

The forms of providing information stipulate that in some cases the information transferred by the parties to each other must be documented. This obligation is assigned to the counterparties either by law or by an agreement signed between them. In government agencies, documentation is mandatory and is carried out in the manner determined by the government. For this purpose, special rules are issued. For the purposes of implementation between citizens, as well as between organizations, including state ones, the procedure for using electronic signature... In certain situations, the parties are required to transfer information using such a signature.

Protection

The analyzed law "On information, information technology and information protection" establishes measures that must be implemented by the state and other persons in order to protect information. The list of these measures includes organizational, technical and, of course, legal measures. Stakeholders undertake them in order to:

  • keep information safe from encroachment by third parties, from any illegal actions they subsequently commit, and from destruction, copying or dissemination;
  • maintain secrecy;
  • provide access to information.

The state, in exercising its functions, is obliged to take the necessary actions for protection. These consist in establishing minimum requirements for relations connected with the receipt of information, as well as in determining responsibility for its unlawful disclosure or other illegal actions. Safety requirements include, in particular:

  1. Prevention of unauthorized access and subsequent transfer to third parties who are not authorized to do so.
  2. If possible - establishing the facts of illegal access.
  3. Prevention of negative results that may arise in case of violation of the established procedure for obtaining information.
  4. Constant control.

Responsibility

As mentioned above, one of the functions of the state is to establish measures aimed at protecting information. For these purposes, the legislative body enacts laws and other normative acts, which provide for liability for the unlawful use of information. Responsibility, of course, is graded according to how socially dangerous the act is. It can be covered by different laws and codes. So, if the violation is very serious, criminal liability can be applied to the culprit. Slightly less dangerous actions may entail liability established by administrative law. As a rule, the punishment for such offenses is limited to fines. If the offense has no signs of either a criminal or an administrative act, the liability may be disciplinary (if the offender is an employee).

Thus, the law under consideration defines only the basic provisions governing relations between the parties. More detailed matters, such as how information is distributed, the terms of its provision and other important points, are determined by special regulations issued for particular legal relations. Compliance with all the norms of the law by both the owners and the recipients of information will together ensure its proper circulation and will not allow third parties to violate the rights and interests of other citizens and organizations.

Adopted by the State Duma on July 8, 2006
Approved by the Federation Council on July 14, 2006

Article 1. Scope of this Federal Law

1. This Federal Law governs relations arising from:

1) exercise of the right to search, receive, transfer, produce and disseminate information;

2) the use of information technology;

3) ensuring the protection of information.

2. The provisions of this Federal Law shall not apply to relations arising from the legal protection of the results of intellectual activity and the means of individualization equivalent to them.

Article 2. Basic concepts used in this Federal Law

The following basic concepts are used in this Federal Law:

1) information - information (messages, data), regardless of the form of their presentation;

2) information technology - processes, methods of searching, collecting, storing, processing, providing, disseminating information and ways of implementing such processes and methods;

3) information system - a set of information contained in databases and information technologies and technical means ensuring its processing;

4) information and telecommunication network - a technological system designed to transmit information over communication lines, access to which is carried out using computer technology;

5) owner of information - a person who independently created information or received, on the basis of a law or an agreement, the right to authorize or restrict access to information determined by any criteria;

6) access to information - the ability to obtain information and use it;

7) confidentiality of information - a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner;

8) provision of information - actions aimed at obtaining information by a certain circle of persons or transferring information to a certain circle of persons;

9) distribution of information - actions aimed at obtaining information by an indefinite circle of persons or transferring information to an indefinite circle of persons;

10) electronic message - information transmitted or received by the user of the information and telecommunication network;

11) documented information - information recorded on a material medium by documenting information with details that allow one to determine such information or, in cases established by the legislation of the Russian Federation, its material medium;

12) operator of an information system - a citizen or legal entity carrying out activities for the operation of the information system, including the processing of information contained in its databases.

Article 3. Principles of legal regulation of relations in the field of information, information technology and information protection

Legal regulation of relations arising in the field of information, information technology and information protection is based on the following principles:

1) freedom to search, receive, transfer, produce and disseminate information in any legal way;

2) establishment of restrictions on access to information only by federal laws;

3) openness of information on the activities of state bodies and local self-government bodies and free access to such information, except for cases established by federal laws;

4) equality of the languages of the peoples of the Russian Federation in the creation of information systems and their operation;

5) ensuring the security of the Russian Federation during the creation of information systems, their operation and protection of the information contained in them;

6) the reliability of information and the timeliness of its provision;

7) inviolability of private life, inadmissibility of collection, storage, use and dissemination of information about the private life of a person without his consent;

8) the inadmissibility of the establishment by regulatory legal acts of any advantages of using some information technologies over others, unless the mandatory use of certain information technologies for the creation and operation of state information systems is established by federal laws.

Article 4. Legislation of the Russian Federation on information, information technology and information protection

1. The legislation of the Russian Federation on information, information technology and on the protection of information is based on the Constitution of the Russian Federation, international treaties of the Russian Federation and consists of this Federal Law and other federal laws governing the use of information.

2. Legal regulation of relations related to the organization and activities of the media is carried out in accordance with the legislation of the Russian Federation on the media.

3. The procedure for storing and using the documented information included in the archival funds is established by the legislation on archiving in the Russian Federation.

Article 5. Information as an object of legal relations

1. Information can be the object of public, civil and other legal relations. Information can be freely used by any person and transferred by one person to another person, unless federal laws establish restrictions on access to information or other requirements for the procedure for its provision or dissemination.

2. Information, depending on the category of access to it, is divided into publicly available information, as well as information, access to which is limited by federal laws (information of limited access).

3. Information, depending on the procedure for its provision or distribution, is divided into:

1) information freely distributed;

2) information provided by agreement of the persons participating in the relevant relationship;

3) information that, in accordance with federal laws, is subject to provision or distribution;

4) information the dissemination of which in the Russian Federation is restricted or prohibited.

4. The legislation of the Russian Federation may establish the types of information depending on its content or owner.

Article 6. Information holder

1. The owner of information can be a citizen (individual), legal entity, the Russian Federation, a constituent entity of the Russian Federation, a municipal entity.

2. On behalf of the Russian Federation, a constituent entity of the Russian Federation, a municipal formation, the powers of the owner of the information are exercised, respectively, by state bodies and local self-government bodies within the limits of their powers established by the relevant regulatory legal acts.

3. The owner of the information, unless otherwise provided by federal laws, has the right:

1) allow or restrict access to information, determine the procedure and conditions for such access;

2) use the information, including disseminate it, at their own discretion;

3) transfer information to other persons under an agreement or on another basis established by law;

4) protect their rights in the manner established by law in the event of illegal receipt of information or its illegal use by other persons;

5) take other actions with information or authorize the implementation of such actions.

4. The owner of the information, when exercising his rights, shall:

1) observe the rights and legal interests of other persons;

2) take measures to protect information;

3) restrict access to information, if such a duty is established by federal laws.

Article 7. Publicly available information

1. Publicly available information includes generally known information and other information, access to which is not limited.

2. Publicly available information can be used by any person at their discretion, subject to the restrictions established by federal laws with respect to the dissemination of such information.

3. The owner of information that has become publicly available by his decision has the right to demand that the persons disseminating such information indicate themselves as a source of such information.

Article 8. Right to access information

1. Citizens (individuals) and organizations (legal entities) (hereinafter referred to as organizations) have the right to search for and receive any information in any form and from any source, subject to the requirements established by this Federal Law and other federal laws.

2. A citizen (individual) has the right to receive from state bodies, local self-government bodies, their officials in the manner established by the legislation of the Russian Federation, information directly affecting his rights and freedoms.

3. An organization has the right to receive information from state bodies, local self-government bodies that directly relate to the rights and obligations of this organization, as well as information necessary in connection with interaction with these bodies in the implementation of its statutory activities by this organization.

4. Access may not be restricted to:

1) regulatory legal acts affecting the rights, freedoms and obligations of a person and citizen, as well as establishing the legal status of organizations and the powers of state bodies, local self-government bodies;

2) information about the state of the environment;

3) information on the activities of state bodies and local self-government bodies, as well as on the use of budgetary funds (with the exception of information constituting state or official secrets);

4) information accumulated in open funds of libraries, museums and archives, as well as in state, municipal and other information systems created or intended to provide citizens (individuals) and organizations with such information;

5) other information, the inadmissibility of restricting access to which is established by federal laws.

5. State bodies and local self-government bodies are obliged to provide access to information about their activities in Russian and the state language of the corresponding republic within the Russian Federation in accordance with federal laws, laws of the constituent entities of the Russian Federation and regulatory legal acts of local self-government bodies. A person wishing to gain access to such information is not obliged to justify the need to obtain it.

6. Decisions and actions (inaction) of state bodies and local self-government bodies, public associations, officials that violate the right to access information may be appealed to a higher body or a higher official or to a court.

7. If, as a result of unlawful denial of access to information, untimely provision of it, provision of deliberately inaccurate information or information that does not correspond to the content of the request, losses have been caused, such losses are subject to compensation in accordance with civil law.

8. Information is provided free of charge:

1) on the activities of state bodies and local self-government bodies posted by such bodies in information and telecommunication networks;

2) affecting the rights and obligations of the interested person established by the legislation of the Russian Federation;

3) other information specified by law.

9. The establishment of fees for the provision by a state body or a local self-government body of information about its activities is possible only in cases and on conditions established by federal laws.

Article 9. Restricting access to information

1. Restriction of access to information is established by federal laws in order to protect the foundations of the constitutional order, morality, health, rights and legitimate interests of others, to ensure the country's defense and state security.

2. Compliance with the confidentiality of information, access to which is limited by federal laws, is mandatory.

3. Protection of information constituting a state secret is carried out in accordance with the legislation of the Russian Federation on state secrets.

4. Federal laws establish the conditions for classifying information as information constituting a commercial secret, official secret and other secrets, the obligation to observe the confidentiality of such information, as well as responsibility for its disclosure.

5. Information received by citizens (individuals) in the performance of their professional duties or by organizations in the implementation of certain types of activities (professional secrecy), is subject to protection in cases where these persons are obliged by federal laws to maintain the confidentiality of such information.

6. Information constituting a professional secret may be provided to third parties in accordance with federal laws and (or) by a court decision.

7. The term of fulfillment of obligations to maintain the confidentiality of information constituting a professional secret can be limited only with the consent of the citizen (individual) who provided such information about himself.

8. It is prohibited to demand from a citizen (individual) to provide information about his private life, including information constituting a personal or family secret, and to receive such information against the will of the citizen (individual), unless otherwise provided by federal laws.

9. The procedure for access to personal data of citizens (individuals) is established by the federal law on personal data.

Article 10. Dissemination of information or provision of information

1. In the Russian Federation, the dissemination of information is carried out freely subject to the requirements established by the legislation of the Russian Federation.

2. Information disseminated without using the mass media must include reliable information about its owner or about another person disseminating information, in a form and in an amount that are sufficient to identify such a person.

3. When means that allow the recipients of information to be determined, including mail and electronic messages, are used to disseminate information, the person distributing the information is obliged to provide the recipient of the information with the possibility of refusing such information.

4. The provision of information is carried out in the manner established by the agreement of the persons participating in the exchange of information.

5. Cases and conditions of mandatory dissemination of information or provision of information, including provision of mandatory copies of documents, are established by federal laws.

6. It is prohibited to disseminate information that is aimed at promoting war, inciting national, racial or religious hatred and enmity, as well as other information for the dissemination of which criminal or administrative liability is provided.

Article 11. Documenting information

1. The legislation of the Russian Federation or agreement of the parties may establish requirements for documenting information.

2. In federal executive bodies, information is documented in accordance with the procedure established by the Government of the Russian Federation. The rules of office work and document flow established by other state bodies, local self-government bodies within their competence, must comply with the requirements established by the Government of the Russian Federation in terms of office work and document flow for federal executive bodies.

3. An electronic message signed with an electronic digital signature or other analogue of a handwritten signature is recognized as an electronic document, equivalent to a document signed with a handwritten signature, in cases where federal laws or other regulatory legal acts do not establish or imply a requirement to draw up such a document on paper.

4. In order to conclude civil law contracts or formalize other legal relations in which persons exchanging electronic messages participate, the exchange of electronic messages, each of which is signed with an electronic digital signature or other analogue of the handwritten signature of the sender of such a message, in the manner prescribed by federal laws, other regulatory legal acts or agreement of the parties, is considered an exchange of documents.

5. Ownership and other proprietary rights to tangible media containing documented information are established by civil legislation.

Article 12. State regulation in the field of information technology application

1. State regulation in the field of information technology application provides for:

1) regulation of relations related to the search, receipt, transfer, production and dissemination of information using information technology (informatization), on the basis of the principles established by this Federal Law;

2) development of information systems for various purposes to provide citizens (individuals), organizations, state bodies and local authorities with information, as well as ensuring the interaction of such systems;

3) creation of conditions for effective use of information and telecommunication networks in the Russian Federation, including the Internet and other similar information and telecommunication networks.

2. State bodies, bodies of local self-government in accordance with their powers:

1) participate in the development and implementation of targeted programs for the use of information technologies;

2) create information systems and provide access to the information they contain in Russian and the state language of the corresponding republic within the Russian Federation.

Article 13. Information Systems

1. Information systems include:

1) state information systems - federal information systems and regional information systems created on the basis of federal laws, laws of the constituent entities of the Russian Federation, respectively, on the basis of legal acts of state bodies;

2) municipal information systems created on the basis of a decision of a local government body;

3) other information systems.

2. Unless otherwise established by federal laws, the operator of the information system is the owner of the technical means used to process the information contained in the databases, who lawfully uses such databases, or the person with whom this owner has concluded an agreement on the operation of the information system.

3. The rights of the owner of the information contained in the databases of the information system are subject to protection, regardless of copyright and other rights to such databases.

4. The requirements for state information systems established by this Federal Law shall apply to municipal information systems, unless otherwise provided by the legislation of the Russian Federation on local self-government.

5. Features of the operation of state information systems and municipal information systems can be established in accordance with technical regulations, regulatory legal acts of state bodies, regulatory legal acts of local government bodies that make decisions on the creation of such information systems.

6. The procedure for the creation and operation of information systems that are not state information systems or municipal information systems is determined by the operators of such information systems in accordance with the requirements established by this Federal Law or other federal laws.

Article 14. State information systems

1. State information systems are created in order to exercise the powers of state bodies and to ensure the exchange of information between these bodies, as well as for other purposes established by federal laws.

2. State information systems are created taking into account the requirements stipulated by the Federal Law of July 21, 2005 N 94-FZ "On placing orders for the supply of goods, performance of work, provision of services for state and municipal needs."

3. State information systems are created and operated on the basis of statistical and other documented information provided by citizens (individuals), organizations, state bodies, local government bodies.

4. Lists of types of information provided on a mandatory basis are established by federal laws, the conditions for its provision - by the Government of the Russian Federation or the relevant state bodies, unless otherwise provided by federal laws.

5. Unless otherwise established by the decision on the creation of a state information system, the functions of its operator shall be performed by the customer who has entered into a state contract for the creation of such an information system. At the same time, the commissioning of the state information system is carried out in the manner prescribed by the specified customer.

6. The Government of the Russian Federation has the right to establish mandatory requirements for the procedure for commissioning certain state information systems.

7. Operation of the state information system is not allowed without proper registration of rights to use its components, which are objects of intellectual property.

8. Technical means intended for processing information contained in state information systems, including software technical means and information protection means, must comply with the requirements of the legislation of the Russian Federation on technical regulation.

9. Information contained in state information systems, as well as other information and documents at the disposal of state bodies are state information resources.

Article 15. Use of information and telecommunication networks

1. On the territory of the Russian Federation, the use of information and telecommunication networks is carried out in compliance with the requirements of the legislation of the Russian Federation in the field of communications, this Federal Law and other regulatory legal acts of the Russian Federation.

2. Regulation of the use of information and telecommunication networks, access to which is not limited to a certain circle of persons, is carried out in the Russian Federation, taking into account the generally accepted international practice of the activities of self-regulatory organizations in this area. The procedure for using other information and telecommunication networks is determined by the owners of such networks, taking into account the requirements established by this Federal Law.

3. The use on the territory of the Russian Federation of information and telecommunication networks in economic or other activities may not serve as a basis for establishing additional requirements or restrictions regarding the regulation of these activities carried out without the use of such networks, as well as for non-compliance with the requirements established by federal laws.

4. Federal laws may provide for mandatory identification of individuals, organizations using an information and telecommunications network in the implementation of entrepreneurial activities. In this case, the recipient of an electronic message, located on the territory of the Russian Federation, has the right to conduct a check, which makes it possible to identify the sender of the electronic message, and in cases established by federal laws or by agreement of the parties, is obliged to carry out such a check.

5. The transfer of information through the use of information and telecommunication networks is carried out without restrictions, provided that the requirements established by federal laws for the dissemination of information and the protection of intellectual property are observed. The transfer of information can be limited only in the manner and on the conditions established by federal laws.

6. The specifics of connecting state information systems to information and telecommunication networks may be established by a regulatory legal act of the President of the Russian Federation or a regulatory legal act of the Government of the Russian Federation.

Article 16. Protection of information

1. Information protection is the adoption of legal, organizational and technical measures aimed at:

1) ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;

2) observance of confidentiality of information of limited access;

3) the exercise of the right to access information.

2. State regulation of relations in the field of information protection is carried out by establishing requirements for the protection of information, as well as liability for violation of the legislation of the Russian Federation on information, information technology and information protection.

3. Requirements for the protection of publicly available information may be established only to achieve the goals specified in clauses 1 and 3 of part 1 of this article.

4. The owner of the information, the operator of the information system in the cases established by the legislation of the Russian Federation, are obliged to ensure:

1) prevention of unauthorized access to information and (or) transfer of it to persons who do not have the right to access information;

2) timely detection of facts of unauthorized access to information;

3) prevention of the possibility of adverse consequences of violation of the procedure for access to information;

4) prevention of impact on technical means of information processing, as a result of which their functioning is disrupted;

5) the possibility of immediate recovery of information modified or destroyed due to unauthorized access to it;

6) constant control over ensuring the level of information security.

5. Requirements for the protection of information contained in state information systems are established by the federal executive body in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within their powers. When creating and operating state information systems, the methods and techniques used to protect information must comply with the specified requirements.

6. Federal laws may establish restrictions on the use of certain means of protecting information and on carrying out certain types of activities in the field of information security.

Article 17. Responsibility for offenses in the field of information, information technology and information protection

1. Violation of the requirements of this Federal Law entails disciplinary, civil, administrative or criminal liability in accordance with the legislation of the Russian Federation.

2. Persons whose rights and legitimate interests have been violated in connection with the disclosure of information of limited access or other unlawful use of such information, have the right to apply, in accordance with the established procedure, for judicial protection of their rights, including claims for damages, compensation for moral harm, protection of honor, dignity and business reputation. A claim for damages cannot be satisfied if it is presented by a person who did not take measures to maintain confidentiality of information or violated the requirements for information protection established by the legislation of the Russian Federation, if the adoption of these measures and compliance with such requirements were the obligations of this person.

3. If the dissemination of certain information is limited or prohibited by federal laws, civil liability for the dissemination of such information shall not be borne by the person providing the services:

1) either for the transfer of information provided by another person, subject to its transfer without changes and corrections;

2) or for storing information and providing access to it, provided that this person could not know about the illegality of the dissemination of information.

Article 18. On invalidation of certain legislative acts (provisions of legislative acts) of the Russian Federation

From the date of entry into force of this Federal Law, to declare invalid:

1) Federal Law of February 20, 1995 N 24-FZ "On Information, Informatization and Protection of Information" (Collected Legislation of the Russian Federation, 1995, N 8, Art. 609);

2) Federal Law of July 4, 1996 N 85-FZ "On participation in international information exchange" (Collected Legislation of the Russian Federation, 1996, N 28, Art. 3347);

3) Article 16 of the Federal Law of January 10, 2003 N 15-FZ "On Amendments and Additions to Certain Legislative Acts of the Russian Federation in Connection with the Adoption of the Federal Law 'On Licensing Certain Types of Activities'" (Collected Legislation of the Russian Federation, 2003, N 2, p. 167);

4) Article 21 of the Federal Law of June 30, 2003 N 86-FZ "On Amendments and Additions to Certain Legislative Acts of the Russian Federation, invalidation of certain legislative acts of the Russian Federation, the provision of certain guarantees to employees of internal affairs bodies, bodies for control over the turnover of narcotic drugs and psychotropic substances and abolished federal tax police bodies in connection with the implementation of measures to improve public administration" (Collected Legislation of the Russian Federation, 2003, N 27, Art. 2700);

5) Article 39 of the Federal Law of June 29, 2004 N 58-FZ "On Amendments to Certain Legislative Acts of the Russian Federation and the Recognition of Invalidation of Certain Legislative Acts of the Russian Federation in Connection with the Implementation of Measures to Improve Public Administration" (Collected Legislation of the Russian Federation, 2004, N 27, Art. 2711).

President of the Russian Federation
V. Putin

The law "On Information, Informatization and Protection of Information" of February 20, 1995, No. 24-FZ (adopted by the State Duma on January 25, 1995) should be considered fundamental among Russian laws on information security. It provides basic definitions and outlines the directions of development of legislation in this area.

To quote some of these definitions:

    information - information about persons, objects, facts, events, phenomena and processes, regardless of the form of their presentation;

    documented information (document) - information recorded on a material carrier with details that allow it to be identified;

    information processes - processes of collection, processing, accumulation, storage, search and dissemination of information;

    information system - an organizationally ordered set of documents (arrays of documents) and information technologies, including the use of computer technology and communication, implementing information processes;

    information resources - individual documents and separate arrays of documents, documents and arrays of documents in information systems (libraries, archives, funds, data banks, other information systems);

    information about citizens (personal data) - information about the facts, events and circumstances of the citizen's life, allowing to identify his personality;

    confidential information - documented information, access to which is limited in accordance with the legislation of the Russian Federation;

    user (consumer) of information - a subject who turns to an information system or an intermediary to obtain the information he needs and uses it.

We will, of course, not discuss the quality of the definitions given in the Law. Let us only draw attention to the flexibility of the definition of confidential information, which is not limited to information constituting a state secret, and to the concept of personal data, which lays the foundation for the protection of the latter.

The law identifies the following information protection goals:

    prevention of leakage, theft, loss, distortion, forgery of information;

    prevention of threats to the security of the individual, society, state;

    prevention of unauthorized actions to destroy, modify, distort, copy, block information;

    prevention of other forms of illegal interference in information resources and information systems, ensuring the legal regime of documented information as an object of ownership;

    protection of the constitutional rights of citizens to maintain personal secrecy and confidentiality of personal data available in information systems;

    preservation of state secrets, confidentiality of documented information in accordance with the law;

    ensuring the rights of subjects in information processes and in the development, production and application of information systems, technologies and means of their support.

Note that the Law puts the confidentiality of information first. Integrity is also covered quite fully, although in second place. Little is said about availability ("preventing unauthorized actions to ... block information").

Let's continue quoting:

"Any documented information, the mishandling of which may harm its owner, possessor, user or other person, is subject to protection."

In fact, this provision states that information protection is aimed at ensuring the interests of the subjects of information relations.

    in relation to information classified as a state secret - by authorized bodies on the basis of the Law of the Russian Federation "On state secrets";

    in respect of confidential documented information - by the owner of information resources or an authorized person on the basis of this Federal Law;

    with regard to personal data - by federal law."

Three types of protected information are clearly identified here, the second of which includes, in particular, commercial information. Since only documented information is subject to protection, a prerequisite is the fixation of commercial information on a tangible medium and supplying it with details. Note that this part of the Law is only about confidentiality; other aspects of information security are forgotten.

Note that the protection of state secrets and personal data is undertaken by the state; other confidential information is the responsibility of its owners.

How should information be protected? As the main means for this purpose, the Law offers powerful universal tools: licensing and certification. We quote Article 19.

    Information systems, databases and data banks intended for information services to citizens and organizations are subject to certification in the manner prescribed by the Law of the Russian Federation "On Certification of Products and Services".

    Information systems of state authorities of the Russian Federation and state authorities of constituent entities of the Russian Federation, other state bodies, organizations that process documented information with limited access, as well as means of protection of these systems are subject to mandatory certification. The certification procedure is determined by the legislation of the Russian Federation.

    Organizations performing work in the field of design, production of information security products and personal data processing receive licenses for this type of activity. The licensing procedure is determined by the legislation of the Russian Federation.

    The interests of the consumer of information when using imported products in information systems are protected by the customs authorities of the Russian Federation on the basis of the international certification system.

Here it is difficult to refrain from a rhetorical question: are there information systems in Russia without imported products? It turns out that in this case only customs protects the interests of consumers ...

And a few more points, now from article 22:

2. The owner of documents, an array of documents, information systems ensures the level of information protection in accordance with the legislation of the Russian Federation.

3. The risk associated with the use of non-certified information systems and means of their support lies with the owner (possessor) of these systems and means. The risk associated with the use of information obtained from an uncertified system lies with the consumer of the information.

4. The owner of documents, an array of documents, information systems can apply to organizations that certify means of protecting information systems and information resources to analyze the sufficiency of measures to protect their resources and systems and receive advice.

5. The possessor of documents, an array of documents, information systems is obliged to notify the owner of information resources and (or) information systems about all facts of violation of the information protection regime.

From point 5 it follows that all (successful) attacks on IS should be detected. Let us recall in this regard one of the results of the survey (see Lecture 1): about a third of American respondents did not know whether their information systems had been hacked in the last 12 months. According to our legislation, they could be held accountable ...

2. Protection of the rights of subjects in this area is carried out by a court, an arbitrazh court or an arbitration tribunal, taking into account the specifics of offenses and damage caused.

Very important are the paragraphs of Article 5 concerning the legal effect of an electronic document and an electronic digital signature:

3. The legal force of a document stored, processed and transmitted using automated information and telecommunication systems can be confirmed by an electronic digital signature. The legal force of an electronic digital signature is recognized if there are software and hardware tools in the automated information system that ensure signature identification, and if the established regime for their use is observed.

4. The right to certify the identity of an electronic digital signature is exercised on the basis of a license. The procedure for issuing licenses is determined by the legislation of the Russian Federation.

Thus, the Law offers an effective means of controlling the integrity and solving the problem of "non-repudiation" (the inability to refuse one's own signature).

These are the most important, in our opinion, provisions of the Law "On Information, Informatization and Information Protection". The next page will discuss other laws of the Russian Federation in the field of information security.
